You Thought Sarbanes-Oxley Was Bad? Wait til You See What's Coming

Get Your Waders, You're Going to Need Them

April 21, 2009

A tidal wave of new compliance regulations looks set to wreak havoc in IT departments when it hits some time in the next 12 to 18 months.

The new regulations will be introduced as a direct result of the current crisis in the financial markets, and as their scope becomes clearer they will have a huge effect on data center activities, said Chris McClean, an analyst at Forrester Research. "I reckon the impact of these new regulations has the potential to be much, much bigger than Sarbanes-Oxley," said McClean. "The push for new regulation will be enormous. When you look at the amount of people affected by Enron and WorldCom, it's small compared to those affected by the current financial crisis. IT will have to be involved in a big way."

He believes it's likely that the purpose of many of the new regulations will be to push for better corporate auditability. That's because one of the problems that may well have contributed to the financial crisis is that although banks and other financial institutions had large amounts of information about their businesses, they still made bad decisions because they couldn't access the right information when they needed it.

"Essentially, they made bad decisions because they didn't have the right technology," McClean said. The new regulations will ensure organizations have better control over the activities particular groups can carry out.

The new regulations will blow away any notion that some of the more stringent Sarbanes-Oxley requirements might be relaxed in the future, so McClean suggests organizations get their houses in order while they have time. Any other preparation is impossible. "The problem for IT departments is that although we know that new regs are coming, we won't know what they are for about 12 months."

John Bace, a research vice president in Gartner's Compliance, Risk and Leadership research group, agrees that the new regulations will have an enormous impact on IT staff workloads. "The last thing we really need is a new wave of regulations, but given the situation in Wall Street at the moment, I believe the shadow the new regulations cast will be longer than Sarbanes-Oxley," he said. However, Bace believes new regulations are inevitable, as they are key to getting confidence back into the financial system. "How was it possible that we did not know about the potential collapse of a major bank until it collapsed?" he asked. "The regulatory oversight model which we have been using was formulated in the 1930s, and it is really no longer applicable."

There are three likely strands to the new regulations when they do arrive:

A strong push for greater transparency in corporate governance

A more standardized global set of accounting practices

A push toward XBRL (eXtensible Business Reporting Language)

In the medium term, Bace said, XBRL will provide a way for companies to publish real-time information on their business activities, and it's also something that could have a huge impact on IT department activities.